Systems and methods for graduated suspicious activity detection

ABSTRACT

Systems and methods for evaluating electronic value transfers. Various of the methods include graduating a defined affinity between transactions to increasing levels of scrutiny. At an increased level of scrutiny, reports can be generated indicating suspicious activity and/or interdiction procedures can be implemented to reduce the occurrence of the detected suspicious activity. Various of the systems are tailored to implement the aforementioned methods.

CROSS-REFERENCES TO RELATED APPLICATIONS

The present application is a Continuation-in-Part of U.S. patentapplication Ser. No. 10/091,000, entitled “Money Transfer EvaluationSystems and Methods”, and filed by Degen et al. on Mar. 4, 2002. Theaforementioned patent application is assigned to an entity commonherewith, and is incorporated herein by reference for all purposes.

BACKGROUND OF THE INVENTION

This invention is related to the field of electronic financialtransaction, and in particular to electronic value or money transfers.More specifically, the invention is related to systems and methods toevaluate such transactions for suspicious activities.

Electronic transactions play an important role in today's economy. Suchtransactions may include, for example, ACH transactions, credit cardtransactions, wire transfers, bank account transfers, and the like. Suchtransactions may be performed in a variety of ways, including, forexample, by using the Internet, by using a phone to contact a servicerepresentative or an IVR system, by an in-person visit to a financialinstitution or money transfer location, and the like. For example, toperform a money transfer transaction a sender may visit a money transferlocation and fill out a money transfer application. This application mayrequest the sender's name, the name of the recipient and the amount ofmoney to be transferred. This information is transmitted to a centraldatabase, and the money to be transferred is collected from the sender.When ready to receive the money, the recipient may proceed to a pick-uplocation and provide the proper identification. The database is accessedto confirm the recipient and the determine the amount of money to bepaid to the recipient. After payment, the date and time of payment mayalso be transmitted to the database.

Unfortunately, it has been reported that some have attempted to abusesuch money transfer systems including those associated with organizedcrime, drug dealers, terrorist organizations and the like. Variousprocedures exist to curb such abuses. For example, the United States'government has passed laws that encourage reporting of certainsuspicious monetary transfer activities. See e.g., 18 U.S.C. §1956-57.However, these laws include specific reporting requirements that arewell known by criminal elements, and thus easily avoided by manipulatingmoney transfer activities to avoid detection. Recent events and theincreased need for public safety have suggested a need to implementheightened monitoring of suspicious activities involving electronicfinancial transactions.

Hence, among other things, this invention is related to ways to monitorand evaluate transfers for value and other financial transactions in anattempt to detect potentially suspicious activities.

BRIEF SUMMARY OF THE INVENTION

The present invention includes a variety of embodiments of both systemsand methods for evaluating value transfers for suspect activities, suchas terrorist activities, money laundering, and the like. In various ofthe embodiments, methods are provided for graduating a defined affinitybetween two or more transactions to increasing levels of scrutiny. At anincreased level of scrutiny, reports can be generated indicatingsuspicious activity and/or interdiction procedures can be implemented toreduce the occurrence of the detected suspicious activity. An embodimentof a system in accordance with the present invention includes a moneytransfer system associated with a fraud processing server. The fraudprocessing server is capable of accessing money transfer recordsassociated with the money transfer system and evaluating the records inaccordance with various methods disclosed herein.

One embodiment of the present invention provides a method for graduatedevaluation of value transfer transactions. The method includes receivinga number of transaction packages that are associated with respectivevalue transfers. Root node affinities are formed for each of thetransaction packages. The root node affinities are compared one withanother, and where matches are detected, the matching root nodeaffinities are formed into a tier one affinity. The tier one affinity,as well as some root node affinities are compared with other tier oneaffinities. Where a match is detected, the matched tier one affinities,or tier one affinity and root node affinity are combined to create acommon tier one affinity. Where a trigger level is reached, a tier oneaffinity is converted to a tier two affinity. At this point, a reportcan be generated indicating suspicious behavior associated with the tiertwo affinity. The tier two affinity is subsequently compared to tier oneaffinities and/or root node affinities. Where additional matches occursuch as, for example, three additional matches, an interdiction can beinitiated. Further, a periodic report can be generated indicating anymatches occurring in relation to the tier two affinity.

Some embodiments of the present invention provide systems for evaluatingvalue transfers. Such systems include a fraud processing computerassociated with a computer readable medium. Such a computer readablemedium can be a hard disk drive, a server database, a floppy disk,and/or the like. The computer readable medium comprises computerinstructions executable by the fraud processing computer to receive aplurality of transaction packages, and to form a plurality of root nodeaffinities associated with the respective transaction packages. Theinstructions are further executable to compare the plurality of rootnode affinities with a tier one affinity, and to assimilate at least oneof the root node affinities into the tier one affinity based on thecomparison. In particular cases, at least some of the root nodeaffinities are compared with other root node affinities, and based onthe comparison, a tier one affinity is formed from two or more of thecompared root node affinities.

In various cases, the computer instructions are further executable toreceive a trigger level that can be, for example, an affinity intensity,an event count, and/or an event occurrence. Thus for example, where anaffinity intensity is used, a trigger may occur where the affinityintensity exceeds a defined threshold. Alternatively, where an eventoccurrence is used, a trigger may occur upon the presence of aprescribed event such as, for example, a transaction exceeding tenthousand dollars. As yet another alternative, where an event count isused, a trigger may occur when a defined number of events have beenfound such as, for example, when seven matches are found to a given tierone affinity.

Where a trigger occurs, a tier one affinity can be converted to a tiertwo affinity. In some cases, the tier two affinity is locked so that itwill not age out of the system, but rather will remain in the systemuntil explicitly removed. Further, upon conversion to a tier twoaffinity, a report indicating behavior associated with the tier twoaffinity can be generated. In some manifestations of the embodiment,other tier one affinities are compared to the tier two affinity, andbased on the comparison, interdiction procedures can be initiated,and/or a periodic report can be generated. Further, where a tier oneaffinity matches the tier two affinity, the tier one affinity can beassimilated with the tier two affinity. In yet other cases, one or moreroot node affinities are compared with the tier two affinity, and basedon the comparison, interdiction procedures can be initiated, and/or aperiodic report can be generated. Further, where a root node affinitymatches the tier two affinity, the root node affinity can be assimilatedwith the tier two affinity.

In some cases, the transaction packages are comprised of a combinationof real time information and on-demand information, while in othercases, the transaction packages are comprised of either real timeinformation or on-demand information. The methods can include assemblingthe real time information and the on-demand information into theappropriate transaction packages. Further, in some cases, a gross sortis performed on a plurality of transaction packages to eliminate anumber of the transaction packages that are unlikely to indicatesuspicious activity, or which may only indicate activity at a low level.

Other embodiments of the present invention provide methods forprogressive value transfer evaluation. The methods include receiving atransaction package, and forming a root node affinity associated withthe transaction package. The root node affinity can then be compared toother root node affinities, tier one affinities, and/or tier twoaffinities. In some cases, the root node affinity is compared to a tierone affinity, and where a match occurs, the root node affinity isassimilated with the tier one affinity. The tier one affinity can beconverted to a tier two affinity based in part on the comparison withthe root node affinity. A report can be generated when the conversion tothe tier two affinity occurs.

The summary provides only a general outline of the embodiments accordingto the present invention. Many other objects, features and advantages ofthe present invention will become more fully apparent from the followingdetailed description, the appended claims and the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

A further understanding of the nature and advantages of the presentinvention may be realized by reference to the figures which aredescribed in remaining portions of the specification. In the figures,like reference numerals are used throughout several figures to refer tosimilar components. In some instances, a sub-label consisting of a lowercase letter is associated with a reference numeral to denote one ofmultiple similar components. When reference is made to a referencenumeral without specification to an existing sub-label, it is intendedto refer to all such multiple similar components.

FIG. 1 illustrates a money transfer system capable of evaluation usingsystems and methods in accordance with the present invention;

FIG. 2 illustrates a fraud watch system associated with the moneytransfer system of FIG. 1 in accordance with an embodiment of thepresent invention;

FIGS. 3 a-3 d are flow diagrams illustrating a method in accordance withembodiments of the present invention;

FIG. 4 is a graphic depiction of affinity formation and graduation asdescribed in relation to the flow diagram of FIG. 3;

FIG. 5 illustrates various exemplary transaction packages;

FIG. 6 illustrates the various exemplary transaction packages of FIG. 5after a gross sort in accordance with some embodiments of the presentinvention;

FIG. 7 illustrates various root node affinities derived from theexemplary transaction packages of FIG. 6 in accordance with someembodiments of the present invention;

FIG. 8 illustrates a tier one affinity formed in accordance withembodiments of the present invention from two of the root nodeaffinities of FIG. 7;

FIGS. 9 and 10 illustrate various previously formed tier one affinitiesin accordance with embodiments of the present invention; and

FIGS. 11 and 12 illustrate affinities formed after application of themethod of FIG. 3 in accordance with some embodiments of the presentinvention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention relates to methods and systems for evaluatingelectronic value transfers for suspect activities, such as terroristactivities, money laundering, and the like. The electronic transfersevaluated may take a variety of forms. For example, such electronictransfers may take the form of traditional money transfers where themoney to be transferred is presented at a first money transfer locationand is electronically “wired” to a second money transfer location wherethe transferred money is paid to the recipient. Such money transferservices are provided by a number of companies, such as WESTERN UNION™.Other types of electronic transfers may include wire transfers from onefinancial institution to one or more other financial institutions,electronic ACH transfers, electronic transfers over networks, such asthe Internet (including those described in copending U.S. patentapplication Ser. Nos. 10/040,568, entitled “Systems and Methods ofIntroducing and Receiving Information Across a Computer Network” andfiled Jan. 4, 2002, which is incorporated herein by reference for allpurposes; 10/037,827, entitled “Methods for Receiving ElectronicallyTransferred Funds Using an Automated Teller Machine” and filed Jan. 3,2002, which is incorporated herein by reference for all purposes;09/991,497, entitled “Online Funds Transfer Method” and filed Nov. 15,2001 on a date prior hereto, which is incorporated herein by referencefor all purposes.

Further, although the invention may find its greatest use in relation tocash transfers, the present invention may be used to evaluate othertypes of value transfers as well. For example, the invention may be usedwith value transfers, such as those involving phone minutes, loyaltyprogram points and/or awards, frequent flier miles, stored valueaccounts, and the like. Thus, for purposes of this document, the termmoney transfer is defined to include any transfer of value betweenentities. Such a money transfer can include a transfer of value betweenan entity and itself, or between an entity and one or more separateentities. For example, a money transfer can include a transfer of valuebetween a first person and a second person, between a person and acorporation, between a first corporation and a second corporation,and/or between a corporation and itself. Such money transfers caninclude providing value and/or information such as, cash, checks, storedvalue cards, credit cards, debit cards, cash cards, a bank accountnumber, a frequent flyer account number, a cellular telephone accountnumber, and the like.

To monitor potentially suspicious activities, some embodiments of thepresent invention include electronically accessible records relating tomoney transfers. These records are searched according to specifiedcriteria to determine if any transactions are potentially suspect. Ifso, these records are flagged and may be separately stored for furtherevaluation. For example, in the money transfer world, certain dollarvalue transactions need to be reported to the U.S. Government. Thehistorical records may be searched for dollar ranges just below thislimit to determine if multiple transactions are made by the same personor received by the same person within a specified time in order to avoidbeing reported to the U.S. Government.

Various criteria can be defined to evaluate a money transfer system inaccordance with the present invention including certain transfer amountlimits, transactions between particular known entities, transactionsassociated with messages that are to be translated to particularlanguages, and/or transactions where the value converted to a particularform, such as, a particular foreign currency.

The systems and methods of the present invention are capable of lookingat both sides of a transaction, or only the sender or receiver side.Other embodiments provide for checking a combination of transactions todetect suspicious behavior. In some embodiments, elements of the listcan be purged based on either time, known information, or a combinationthereof. Further, elements of the list can be locked such that they arenot susceptible to any purging processes.

As with the monitoring system disclosed in the previously incorporatedU.S. patent application Ser. No. 10/091,000, entitled “Money TransferEvaluation Systems & Methods”, the systems and methods of the presentinvention can be tailored to a particular money transfer system suchthat the overall impact of any monitoring on the transfer system isreduced. Thus, for example, such systems and methods can run either inreal time or in a batched mode during off-peak time for the evaluatedmoney transfer system. In some embodiments of the present invention, anintelligent, iterative approach is applied to identify factors relatedto suspicious behavior. Such an approach can avoid a static situationthat, when known to criminal elements, is easily avoided.

The present invention provides and/or utilizes various equipment andtechniques in relation to evaluating money transfers. The presentinvention permits some form of value, such as cash, to be received andthen electronically transferred to another location where it isavailable for pickup or further processing in the same or an alternateform. In some embodiments, a money transfer mechanism is utilized toeffectuate and/or evaluate a money transfer. FIG. 1 illustrates anexemplary money transfer system 100. While FIG. 1 illustrates anexemplary money transfer mechanism, one of ordinary skill in the artwill recognize other money transfer mechanisms to which the presentinvention may be applied or used in conjunction with.

Referring to FIG. 1, money transfer system 100 is comprised of aninterface system 125, an automatic teller system (“ATM”) system 145, adeposit maintenance network 150, a credit maintenance network 160 and acentral exchange 170. Interface system 125 is communicably coupled toATM system 145 via an ATM network 140, deposit maintenance network 150and credit maintenance network 160. In general, interface system 125unifies a variety of transfer systems while supporting a variety ofmechanisms for introducing and receiving information to and/or frommoney transfer system 100.

Interface system 125 comprises a transaction center 130 and one or moreterminals 110 in communication via a transaction network 120.Transaction network 120 can be any communication network capable oftransmitting and receiving information in relation to a transfer ofvalue from one entity to another. For example, transaction network 120can comprise a TCP/IP compliant virtual private network (VPN), theInternet, a local area network (LAN), a wide area network (WAN), atelephone network, a cellular telephone network, an optical network, awireless network, or any other similar communication network. Inparticular embodiments, transaction network 120 provides message basedcommunications between terminals 110 and transaction center 130.

Terminals 110 can be any terminal or location where value is acceptedand/or provided in relation to money transfers across money transfersystem 100. Thus, in some instances, terminal 110 is a convenience storewhere a clerk can receive value from a sender and initiate transfer ofthe value to a receiver via money transfer system 100. In such cases,the clerk can typically also provide transferred value to a receiver.

In other instances, terminal 110 is an automated system for receivingvalue from a sender for transfer via money transfer system 100 and/orfor providing value to a receiver that was transferred via moneytransfer system 100. To accommodate various different paymentinstruments and types, terminal 110 can include a variety of interfaces.For example, terminal 110 can include a mechanism for receiving cash,credit cards, checks, debit cards, stored value cards and smart cards.Such terminals may also be used at the payout end to print a check ormoney order, or to credit a cash card or stored value card. Examples ofsuch terminals are described in copending U.S. application Ser. No.09/634,901, entitled “Point Of Sale Payment System,” filed Aug. 9, 2000by Randy J. Templeton et al., which is a nonprovisional of U.S. Prov.Appl. No. 60/147,899, entitled “Integrated Point Of Sale Device,” filedAug. 9, 1999 by Randy Templeton et al, the complete disclosures of whichare herein incorporated by reference for all purposes.

In yet other instances, terminal 110 is a personal computer operated bya sender of value. Such a terminal can be communicably coupled totransaction center 130 via the Internet. The terminal can furtherinclude a web browser capable of receiving commands for effectuatingtransfer of value via money transfer system 100.

Terminal identification information can be associated with each terminal110. Such identification information includes, but is not limited to, aphysical location, a telephone number, an agent identification number, aterminal identification number, a security alert status, an indicationof the type of terminal, a serial number of a CPU, an IP address, thename of a clerk, and the like.

Using money transfer system 100, value can be transferred from any of anumber of points. For example, value can be transferred from terminal110 to itself or any other terminal 110, from any terminal 110 to adeposit account via deposit maintenance network 150 or creditmaintenance network 160, from any terminal 110 to any ATM 114 via ATMnetwork 140. Many other transfers to/from ATMs 114, deposit accounts,terminals, and/or credit accounts can be accomplished using moneytransfer system 100.

Referring to FIG. 2, in accordance with some embodiments of the presentinvention, a fraud watch system 210 is provided in communication withtransaction center 130 of money transfer system 100. As illustrated,transaction center 130 includes a network processor 132 to process datareceived and transmitted via transaction network 120. Data to/fromnetwork processor 132 is available to a host 133 that may communicatewith one or more of a value translator 135, a transaction database 136,a settlement engine 137 and a messaging engine 138 to perform functionsassociated with transferring value via money transfer system 100. Inturn, messaging engine may communicate with a message translator 139.The received and/or provided by transaction center 130 may includeinformation on the sender, information on the recipient, identificationinformation associated with a terminal 110, the type and amount of valuetransferred, a desired location to transfer the value, and the like. Insome cases, a value translator 135 may be used to change the type ofvalue. For example, value translator 135 may do a foreign currencyconversion, or may transfer from one type of value to another, e.g.frequent flyer miles to United States' Dollars. All information that isprocessed may conveniently be stored in transaction database 136. Insome cases, transaction database 136 comprises both real timetransaction information and on-demand transaction information on thesame physical hardware. In other cases, one-demand transactioninformation is maintained on separate hardware from real timetransaction information. In yet other cases, transaction database 136 isactually two distinct databases—one for maintaining real timetransaction information and the other for maintaining on-demandtransaction information.

Settlement engine 137 may be used to facilitate the crediting anddebiting of various accounts during a transfer. For example, if a senderrequests that funds from a credit card account be used in the transfer,settlement engine 137 is used to contact credit maintenance network 160to charge the card and to manage the fees involved in the transaction.Such fees may be those charged by the credit organization as well asinternal fees that are a part of the money transfer transaction.Settlement engine 137 may be used in a similar manner when crediting ordebiting checking accounts, stored value accounts, customer loyaltypoints and the like.

In some cases, the sender may also wish to send a message with thevalue. Such a message may be a simple greeting, business or legal terms,and the like. Messaging engine 138 is employed to convert the message tothe proper format depending on the type of output device that is to beused with receiving the money. For example, the output device may be aprinter that physically prints the message onto some type of media.Alternatively, the message may be temporarily displayed on a displayscreen, such as on a kiosk, ATM machine, point of sale device, ane-mail, a web page or the like. The sender or recipient may alsoindicate that the message needs to be translated to a differentlanguage. In such cases, message translator 139 may be used to translatethe message into the other language. This may be accomplished by simplydoing a word look up for each corresponding word in the other language.More complex language translation capabilities may also be used.

Once a value transfer is properly processed, data indicating thetransfer is sent by a switch 134 to the appropriate network as shown.This may be to ATM network 140, deposit maintenance network 150 and/orcredit maintenance network 160 to complete the transaction.

Fraud watch system 210 includes a fraud processing server 220 and awatch database 230. Fraud watch system 210 is associated withtransaction system 130 in a manner that allows for access to transactiondatabase 136. Such association can be provided by direct wiredcommunication between transaction database 136 and fraud processingserver 220, by direct or network communication between transactioncenter 130 and fraud processing server 220, or by any other mechanismthat provides fraud watch system 210 with access to transaction database136. In one particular embodiment, fraud processing server 220 iscommunicably coupled to transaction network 120 and accesses transactiondatabase 136 via network processor 132 and host 133. In anotherembodiment, fraud processing server 220 is directly coupled to host 133and accesses transaction database 136 via host 133. It will berecognized by one of ordinary skill in the art that a number of othermechanisms exist within the scope of the present invention for providingaccess by fraud processing server 220 to transaction database 136.

Fraud processing server 220 can be any microprocessor based devicecapable of retrieving data from transaction database 136, searching andmanipulating the data, maintaining a form of the data on watch database230, and providing access to data on database 230. Such access to thedata can include formatting the data and providing the data in an easilyaccessible form. In some embodiments, fraud processing computer is asingle computer, such as a personal computer or a database server. Inother embodiments, fraud processing server is a group of two or morecomputers. In such embodiments, fraud processing computer can include acentral computer associated with one or more peripheral computers. Suchperipheral computers can be personal computers or portable devices, suchas lap top computers and/or personal digital assistants. In a particularembodiment, fraud processing server 220 includes a SQL server, while inother embodiments, it includes an ORACLE server.

Fraud processing server 220 includes a computer readable medium capableof maintaining instructions executable to perform the functionsassociated with fraud processing server 220. The computer readablemedium can be any device or system capable of maintaining data in a formaccessible to fraud processing computer 220. For example, the computerreadable medium can be a hard disk drive either integral to fraudprocessing server 220 or external to the server. Alternatively, thecomputer readable medium can be a floppy disk or a CD-ROM apart fromfraud processing server 220 and accessible by inserting into a drive(not shown) of fraud processing server 220. In yet other alternatives,the computer readable medium can be a RAM integral to fraud processingserver 220 and/or a microprocessor (not shown) within the server. One ofordinary skill in the art will recognize many other possibilities forimplementing the computer readable medium. For example, the computerreadable medium can be a combination of the aforementioned alternatives,such as, a combination of a CD-ROM, a hard disk drive and RAM.

Turning now to FIGS. 3 a through 3 d, a flow diagram 300 illustrates amethod in accordance with the present invention for monitoring a varietyof value transfers. Following flow diagram 300 of FIG. 3 a, real timetransaction data is received from one or more transaction points (block301). In addition, various transactions meeting certain thresholds arethe subject of additional data gathering. This additional data can beobtained through a periodic request, and thus is referred to ason-demand transaction information. As just some examples, where atransfer exceeds a one thousand dollar threshold, a sender may be askedfor a social security number, a driver's license number, a passportnumber, a date of birth, and/or the like. This data may not be gatheredin other situations where the transfer does not exceed the threshold,and the data may not be included in the real time data. In some cases,the real time transaction information and on-demand transactioninformation is transferred from transaction database 136 (and/or anotherdatabase) to fraud processing server 220. The on-demand transactioninformation is received (block 302), matched to correlated real timetransaction information, stripped of irrelevant fields, and assembled astransaction packages (block 303). In some cases, the on-demandinformation is requested and received every thirty days, and thus thereal time data is maintained for thirty days. Upon receiving theon-demand data, the transaction packages can then be assembled. In somecases, real time data that is not associated with on-demand data isdeleted and not assembled as transaction packages. In other cases, realtime data that is not associated with on-demand data is assembled astransaction packages.

Turning to FIG. 3 b, the transaction packages can be transferred to aroot database (block 305). A transaction package is an electronic fileincluding a set of information detailing a transaction that has beenperformed in relation to a value transfer system. As just one example, atransaction package can include the names of both the sender andrecipient in the transaction, as well as identification and contactinformation for the sender and recipient, identification of agentsinvolved in the transfer, the amount of the transfer, the type of valuetransferred, a transaction cost, and the like. Each of the transactionpackages are assigned as an individual root node of the fraud monitoringsystem (block 315). In some cases, this includes assignment by fraudprocessing server 220 as a root node within fraud watch system 210.

It is next determined if a gross sort of the existing root nodes is tobe performed (block 320). Where a gross sort is to be performed (block320), the gross sort is performed (block 325) and the root nodesidentified from the performed gross sort are deleted (block 330). Agross sort can be any preliminary sort directed at eliminating rootnodes that are associated with transaction packages that for some reasonare not thought to be suspicious. Thus, for example, a gross sort may beperformed to identify all root nodes where the associated transactionwas for less than five hundred U.S. Dollars. Upon identifying the rootnodes with transactions less than five hundred dollars, those root nodesare deleted from fraud watch system 210. Based on the disclosureprovided herein, one of ordinary skill in the art will appreciate anumber of gross sorts that can be preformed in accordance with thepresent invention.

Either where no gross sort is to be performed (block 320), or where thegross sort has been completed (blocks 325, 330), an affinity is createdfor each remaining root node (block 335). As used herein, a root nodeaffinity can be any collection of data points that includes one or moredata points derived or selected from the root node transaction packageto which the affinity is associated. Thus, as just one example, a rootnode transaction package may include the name of the sender, the name ofthe recipient, and the number of the transfer agent. In such a case, theroot node affinity associated with the root node may include acombination of the sender name and the number of the transfer agent.Based on the disclosure provided herein, one of ordinary skill in theart will recognize a number of different data elements and combinationsthereof that can form a root node affinity. Further, in some cases,affinities can be combined in which case, the resulting tier one or tiertwo affinity is a collection of data points from each of the combinedaffinities. Further, defining an affinity can include standardizing oneor more data points from a given transaction package. As just oneexample, this can include converting a transferred value to a commonvalue, such as from Mexican Pesos to US Dollars.

Each affinity associated with a root node is compared to otheraffinities within the root node (block 340). This process can continueuntil all of the root node affinities have been compared one withanother (block 350). Where a match between root node affinities isdetected (block 345), the matching root node affinities are assimilatedwith a combined affinity that is maintained as a tier one affinity(block 355). As used herein, a tier one affinity is an affinity that isformed by assimilating two or more (tier one and/or root node)affinities into a single affinity. A match can be determined in a numberof ways. For example, in one embodiment, a match occurs where three ormore data points match across two affinities. Thus, for example, wherethe sender name and the receiver name match in two affinities, thesender locations match across two affinities, and the phone numbermatches across two affinities, an affinity match will be found.Alternatively, in other embodiments, a match occurs where a single datapoint matches across two affinities. Thus, for example, where thetelephone number for a recipient in one affinity matches the telephonenumber for a recipient in another affinity, an affinity match may befound. In one particular embodiment, a match is only found where two ormore data points within the affinities match. Thus, for example, an amatch would not be found where only an exact name match was found,however, a match would be found where a phonetic name match was found inaddition to a match in the area code associated with a telephone numberin two affinities. In some cases, a match may include an exact match ofone data point, and a partial match of another data point. Based on thedisclosure provided herein, one of ordinary skill in the art willrecognize a number of basis upon which an affinity match may be definedto occur. In particular embodiments of the present invention, a userinterface is provided that allows a user to define the basis upon whicha match will be considered to occur. Once the matching affinities areassimilated with a common affinity, the root node affinities that werethe subject of the match are removed as individual affinities (block360). Again, this process is continued until all of the root nodeaffinities have been considered (block 350).

The remaining root node affinities are compared to each of the tier oneaffinities (block 307). This process continues until all of theremaining root node affinities have been compared with the tier oneaffinities (block 317). Where a match of a root node affinity is foundwith a tier one affinity (block 312), the root node affinity isassimilated with the tier one affinity (block 322) and the matched rootnode affinity is deleted from the root node (block 327). As with thepreviously discussed match process, a number of basis can be consideredto determine whether a match has occurred. Further, a user interface canbe provided that allows a user to define the basis that result in amatch.

Next, each of the tier one affinities are compared one with another(block 332). This process continues until all tier one affinities havebeen considered (block 347). Where a match is found between tier oneaffinities (block 337), the matching affinities are assimilated with acommon tier one affinity, and the matched affinities are removed fromthe system (block 342). Again, as with the previously discussed matchprocess, a number of basis can be considered to determine whether amatch has occurred. Further, a user interface can be provided thatallows a user to define the basis that result in a match.

Turning to FIG. 3 c, it is determined whether a an event trigger levelor an affinity intensity trigger level is to be used to identifyreporting (block 313). Where an affinity intensity is to be used (block313), an affinity intensity for the tier one affinities is calculated(block 318). As used herein, affinity intensity can be one or morenumbers indicating the likelihood of suspicious behavior associated witha given affinity. As just one example, an affinity intensity can be thetotal amount transferred in all transactions represented by the affinitymultiplied by the number of matches found in the individual affinitydata points. Thus, for example, where the total amount transferred istwenty-thousand, and the sender's name matches three times within theaffinity (total of three), the telephone number matches twice (total oftwo), the recipient's name matches twice (total of two), and there isone match to the combination of recipients name and agent number (totalof one). The affinity intensity may then be calculated to betwenty-thousand multiplied by eight (the total number of matchedpoints). In some cases, different matches may be weighted differently indetermining an affinity intensity. For example, a match of recipient'snames combined with agent identifications may be weighted by threehundred percent, a match of phone numbers weighted by two hundredpercent, and a match of recipient's names or sender's names weighted byone hundred percent, and a match of a sender's name to a recipient'sname weighted by seventy percent. These weightings can be multiplied bythe respective matches to derive a score, or affinity intensity aspreviously described. This affinity calculation process is repeateduntil an affinity intensity is calculated for each of the tier oneaffinities (block 328).

Alternatively, where an event trigger level is to be used (block 313), atrigger level is calculated for each of the tier one affinities (blocks323, 333). Such trigger levels can be calculated based on a number ofdifferent occurrences that are detected in relation to the respectivetier one affinities. For example, the trigger level can indicate: thenumber of transactions that are associated with the tier one affinity,the maximum amount transferred in relation to any individual within theaffinity, an amount transferred in relation to an individual within theaffinity within a given length of time, the maximum number oftransactions associated with any individual within the affinity, thetotal amount of all transactions represented by the affinity, or acombination of the aforementioned. Based on the disclosure providedherein, one of ordinary skill in the art will appreciate a myriad oftrigger levels that can be calculated.

The calculated affinity intensities or event trigger levels are thencompared to threshold levels (block 338). These threshold levels can bedefined by a user via a user interface. As just one example, a triggerthreshold may be set where an individual sends or receives transactionsall of which are less than ten thousand dollars individually, but whichaggregate to an amount that equals or exceeds fifteen thousand dollars.Such a trigger threshold may be limited to a particular window of timesuch as, for example, thirty days. Another example may be where anindividual sends or receives transactions all of which are less than tenthousand dollars individually, but which aggregate to an amount thatequals or exceeds ten thousand dollars in a seven day period. As yetanother example, a trigger threshold may be set where an individualsends or receives more than five transactions in a thirty day period.Yet another example may be set where an individual is involved in two ormore transactions between two thousand four hundred dollars and twothousand nine hundred ninety nine dollars, or some other defined limit.Yet another trigger threshold may be set where an individual sends orreceives a single transaction of between two thousand nine hundred andninety dollars and two thousand nine hundred and ninety nine dollars, orsome other determined range. Based on the disclosure provided herein,one of ordinary skill in the art will recognize a number of triggerthresholds that can be set. Affinity thresholds can be set where anaffinity intensity exceeds a predetermined level such as, for example,fifty thousand.

This comparison process is repeated for each of the tier one affinities(block 348). Where a threshold is met (block 343), the tier one affinityis forwarded to a human operator for consideration of any suspiciousactivity indicated via the tier one affinity (block 353). Where thehuman operator identifies suspicious behavior associated with theaffinity (block 358), the tier one affinity can be assigned tier twostatus and a suspicious behavior report automatically generated andprovided to the government (block 363). In some cases, the humanoperator processes (blocks 353, 358) are not performed, but rather thetier one affinity is automatically assigned tier two status and asuspicious behavior report generated and provided to the government(block 363) based on exceeding the defined event or affinity triggerlevel. Tier two affinities can be locked into the system such that theyare not aged out of the system as discussed below.

Turning now to FIG. 3 d, each of the tier one affinities and remainingroot node affinities are compared to tier two affinities (block 314).This process can continue for all of the affinities (block 324). Where amatch occurs (block 319), an interdiction process can be initiated topreclude individuals identified in the tier two affinity from using themonitored value transfer system (block 329). In addition, the matchedaffinity can be assimilated with the tier two affinity. In some cases,multiple matches to a tier two affinity are recorded before aninterdiction process is initiated. Further, where a match occurs, thematching tier one affinity or root node affinity can be assimilated withthe tier tow affinity.

In addition, each of the remaining root node affinities can be aged(block 334). This aging process can result in the removal of a root nodeaffinity from the system after a set period of time, such as thirtydays, where it is not first matched to form a tier one affinity. Inaddition, each of the tier one affinities can be aged (block 339). Thus,tier one affinities that become inactive for an extended period such asninety days from the last transaction represented in the affinity, canbe removed from the system.

Periodically, reporting rules can be applied (block 344), and reportsgenerated to the government (block 349). These reports can indicateadditional activity flagged in relation to a tier two affinity. Thus,rather than reporting each occurrence of activity in relation to a tiertwo affinity, a single report can be generated indicating all suspiciousbehavior in relation to the tier two affinity. This provides anefficient means for investigating suspicious behavior, while avoidingthe appearance of rampant illicit behavior as would be suggested throughgeneration of a report for each flagged transaction.

Turning to FIG. 4, a graphical representation 400 of the affinityprogression described in relation to FIG. 3 is provided. Elements 401,402, 403 respectively represent transaction packages A, B, C formed bycombining on-demand information and related real time information aspreviously described, or including only real time information where noon-demand information is available. The outer dark rings 481, 482, 483represent ancillary transaction information that is not used in anymonitoring. This ancillary information can include, for example,transaction costs and is generally discarded. The cross-hatched innerareas 491, 492, 493 represent transaction information that is used inrelation to the monitoring processes.

As depicted, the ancillary information 481, 482, 483 is stripped fromthe respective transaction packages 401, 402, 403, and the usabletransaction information 491, 492, 493 is formed into respective rootnode affinities 407, 408, 409. These root node affinities 407, 408, 409are then compared one to the other to determine if any matches exist.Where a match occurs, the matching root node affinities are assimilatedwith a tier one affinity. Such a match is depicted as tier one affinity417 which is formed based on a match between root node affinities 407,408. Then, the remaining root node affinity 409 is compared against thepreviously formed tier one affinities 415, 419. Where a match isdetected, the remaining root node affinity is assimilated with thematching tier one affinity. Such a match between root node affinity 409and tier one affinity 419 is depicted as tier one affinity 437. Then,each tier one affinity 415, 417, 437 is compared against each other.Where a match is detected, the matching tier one affinities areassimilated to form a common tier one affinity. Such a match betweentier one affinity 415 and tier one affinity 417 is depicted as tier oneaffinity 435.

Turning now to FIGS. 5 through 12, an exemplary data set is used toillustrate the creation and progression of affinities. FIG. 5 depicts aset of transaction packages 501, 502, 503, 504 formed from either realtime information or a combination of real time and on-demandinformation. Each transaction package includes a number of data points.For example, a variety of data points 511-528 can be provided inrelation to the sender of the transaction, a variety of data points541-550 can be provided in relation to the receiver of the transaction,and one or more general data points 530 can be provided to describe thetransaction. The sender data points can include, but are not limited to,the sender's last name 511, the sender's middle name 512, the sender'sfirst name 513, the sender's phone number 514, the sender's address 515,the sender's agent used to perform the transaction 517, the type ofagent 516, the date sent 518, the amount of value to be sent 519, thetype of value to be sent 520, an account type used to provide the sentvalue 521, an account number associated with the account type 522, thesender's social security or other identification number 523, thesender's date of birth 524, the sender's identification type 525, theissuer of the sender's identification 526, the location of the issuer ofthe sender's identification, and the identification number from thesender's identification. The recipient's data points can include, butare not limited to, the recipient's last name 541, the recipient'smiddle name 542, the recipient's first name 543, the recipient's phonenumber 544, the recipient's address 545, the recipient's agent used toperform the transaction 547, the type of agent 546, the date received548, the amount of value received 549, and the type of value received550. The general data points can include information about thetransaction including, for example, transaction costs 530.

Turning to FIG. 6 the process of gross sorting is depicted wheretransaction package 502 is eliminated from consideration. As previouslydiscussed, a gross sort can eliminate data that is unlikely to representsuspicious behavior, or is of such a low value that it is not desirableto use the data for monitoring purposes. Thus, for example, thetransaction package may be eliminated where the transaction value isbelow a set threshold. The two hundred dollar transaction of transactionpackage 502 may have been below a cutoff threshold, and thus transactionpackage 502 is removed from consideration. Further, transaction package502 may have been eliminated from consideration because it lackedon-demand information in the form of a sender's date of birth and socialsecurity number.

After the gross sort is performed, the remaining transaction packageinformation is used to form root node affinities as depicted in FIG. 7.The root node affinities 701, 703, 704 can be comprised of a subset ofdata points from respective transaction packages 501, 503, 504, can becomprised of data points derived from respective transaction packages501, 503, 504, or can be comprised of a combination thereof. Thedepicted exemplary root node affinities are comprised of a combinationof data points directly from and others derived from respectivetransaction packages.

As depicted, root node affinities 701, 703, 704 include a last and firstname data point 711. This data point is a combination of the last name511 and first name 513 data points from the respective transactionpackages. Further, data point 711 is expanded to include a number ofaliases known to be used in relation to the first name. This can be doneusing alias determination software as is known in the art. Thus, as anexample, root node affinity 701 includes three last name/first name datapoints 711 representing three different variations of the name “Samuel”.In addition, the last name/first name combination is reformed into aphonetic spelling with a truncated first name making matching the nameless susceptible to misses where the name is misspelled, or spelled indifferent ways. This phonetic spelling is maintained as data point 712.This phonetic spelling can be obtained using techniques known to thoseof skill in the art such as, for example, using phonetic generationsoftware. In addition, affinities 701, 703, 704 include a combination oflast name, first name, and agent identification maintained as data point713. Where a match is found for this combination a strong affinity isindicated, and such a match can be used to create an increased affinityintensity as previously described. Similar data points 714, 715, 716 areformed using the recipient's information.

In addition, affinities 701, 703, 704 include the sender's phone number514 and the recipient's phone number 544 selected directly fromrespective transaction packages 501, 503, 504. Further, the addressinformation from transaction packages 501, 503, 504 can be used togeneralize the sender's and recipient's location. This can begeneralized to, for example, a region, city, state, country, zip code,or the like. This generalized location is maintained as data points 717,718 in the respective affinities 701, 703, 704. Also, the sendersaccount number 522 and date of birth 524, where available, are includedin the respective affinities. A combination of the ID type, issuer andnumber is also included as data point 719. The amount transferred isconverted to a common value and maintained as data point 720. Thiscommon value can be the transferred value converted to a common currencytype such as U.S. Dollars. Thus, for example, where the transferredvalue is in Brazilian Reales, the amount it converted to U.S. Dollarsusing recent conversion tables, and the converted amount is maintainedas common value 720.

As previously discussed in relation to FIG. 4, root node affinity A 703and root node affinity B 704 include a match, and are thus assimilatedwith a common tier one affinity 800 depicted in FIG. 8. As depicted, anumber of matches occur. These matches include a match of the sender'sname, and the agent identification used by the sender. Created tier oneaffinity 800 thus includes all data points included in the underlyingroot node affinities 703, 704. Each of these data points can then becompared with other root node affinities, tier one affinities, and tiertwo affinities to determine matches. The larger an affinity grows, themore likely is it to be involved in matches because of the increase indata points maintained in the affinity.

FIGS. 9 and 10 depict previously formed tier one affinities 900 and1000, respectively. Tier one affinity 900 matches tier one affinity 800,and the two are assimilated to form a new tier one affinity 1100 asdepicted in FIG. 11. The match can be for example, the name and locationof the recipient (Benjamin Thomas) of data set 704 matches that of thesender of data set 910. Similarly, the root node affinity 701 matchesthe previously formed tier one affinity 1000, and the two areassimilated to form a new tier one affinity 1200 as depicted in FIG. 12.As depicted, the match that caused the formation of tier one affinity1200 is the common recipient (Leonard Jackson) and common agent number.

The invention has now been described in detail for purposes of clarityand understanding. However, it will be appreciated that certain changesand modifications may be practiced within the scope of the appendedclaims. For example, other criteria may be used for identifyingrelationships between reference designators and money transfer records.Additionally, other criteria may be used for analyzing a money transferdatabase using the reference designators. Thus, although the inventionis described with reference to specific embodiments and figures thereof,the embodiments and figures are merely illustrative, and not limiting ofthe invention. Rather, the scope of the invention is to be determinedsolely by the appended claims.

What is claimed is:
 1. A method for progressive value transferevaluation, the method comprising: receiving, by a computer system, afirst transaction package comprising a plurality of first transactiondata points; forming, by the computer system, a first root node affinityassociated with the first transaction package, the first root nodeaffinity comprising a first text string representing at least one of theplurality of first transaction data points as one of a set of predefinedroot transaction data types; comparing, by the computer system, thefirst root node affinity with a tier one affinity, the tier one affinitycomprising a second text string representing an assimilation of a secondroot node affinity with at least one of a plurality of secondtransaction data points, the plurality of second transaction data pointsbeing received as at least a portion of a second transaction;assimilating, by the computer system, the first root node affinity withthe tier one affinity into a third text string based at least in part onthe comparison; converting, by the computer system, the tier oneaffinity to a tier two affinity based at least in part on the comparisonwith the root node affinity, the tier two affinity comprising the thirdtext string; and generating, by the computer system, a report associatedwith the tier two affinity.
 2. The method of claim 1, wherein thecomparison between the tier one affinity and the root node affinitysatisfies a trigger level, and wherein the converting the tier oneaffinity to a tier two affinity is based at least in part on satisfyingthe trigger level.
 3. The system of claim 2, wherein the trigger levelis selected from a group consisting of: an affinity intensity, an eventcount, and an event occurrence.
 4. The method of claim 1, wherein thetier one affinity is a first tier one affinity, the method furthercomprising: forming a second tier one affinity; comparing the secondtier one affinity with the tier two affinity; and based at least in parton the comparison, initiating interdiction procedures in relation to thetier two affinity.
 5. The method of claim 1, wherein the tier oneaffinity is a first tier one affinity, the method further comprising:forming a second tier one affinity; comparing the second tier oneaffinity with the tier two affinity; and based at least in part on thecomparison, generating a report indicating a result related to thecomparison of the second tier one affinity with the tier two affinity ata defined period.
 6. The method of claim 5, wherein the transactionpackage is a first transaction package, and wherein forming the secondtier one affinity comprises: receiving a second transaction package anda third transaction package; forming a second root node affinityassociated with the second transaction package; forming a third rootnode affinity associated with the third transaction package; comparingthe second root node affinity with the third root node affinity.
 7. Themethod of claim 1, wherein the transaction package is a firsttransaction package, and wherein the root node affinity is a first rootnode affinity; the method further comprising: receiving a secondtransaction package; forming a second root node affinity associated withthe second transaction package; comparing the second root node affinitywith the tier two affinity; based at least in part on the comparison,performing a function selected from a group consisting of: generating areport indicating a result related to the comparison of the second rootnode affinity with the tier two affinity at a defined period; andinitiating interdiction procedures in relation to the tier two affinity.8. The method of claim 1, wherein the transaction package is a firsttransaction package, wherein the root node affinity is a first root nodeaffinity, wherein the tier one affinity is a first tier one affinity;the method further comprising: receiving a second transaction package;forming a second root node affinity associated with the secondtransaction package; comparing the second root node affinity with asecond tier one affinity; based at least in part on the comparison,assimilating the second root node affinity with the second tier oneaffinity; comparing the second tier one affinity with the tier twoaffinity; based on the comparison of the second tier one affinity withthe tier two affinity, performing a function selected from a groupconsisting of: generating a report indicating a result related to thecomparison of the second root node affinity with the tier two affinityat a defined period; and initiating interdiction procedures in relationto the tier two affinity.
 9. A method for graduated evaluation of valuetransfer transactions, the method comprising: receiving, by a computersystem, a first transaction package; receiving, by the computer system,a second transaction package; receiving, by the computer system, a thirdtransaction package; receiving, by the computer system, a fourthtransaction package; forming, by the computer system, a first root nodeaffinity associated with the first transaction package; forming, by thecomputer system, a second root node affinity associated with the secondtransaction package; forming, by the computer system, a third root nodeaffinity associated with the third transaction package; forming, by thecomputer system, a fourth root node affinity associated with the fourthtransaction package; comparing, by the computer system, the first rootnode affinity with the second root node affinity; based at least in parton the comparison of the first root node affinity with the second rootnode affinity, forming, by the computer system, a first tier oneaffinity; comparing, by the computer system, the first tier one affinitywith the third root node affinity; based at least in part on thecomparison of the first tier one affinity with the third root nodeaffinity, converting, by the computer system, the first tier oneaffinity to a tier two affinity; comparing, by the computer system, thetier two affinity to the fourth root node affinity and to a second tierone affinity; based at least in part on the comparison of the tier twoaffinity to the fourth root node affinity and to a second tier oneaffinity, performing, by the computer system, a function selected from agroup consisting of: generating, by the computer system, a reportindicating a result related to the comparison of the tier two affinitywith the fourth root node affinity and the second tier one affinity; andinitiating, by the computer system, interdiction procedures in relationto the tier two affinity.